Q:
how to block AJAX requests from the client
I have an MVC4 app with jQuery. I am building a web app that uses dynamic lists of records and filter options. The problem is that the filter options are being passed to the server via AJAX requests. This is a security issue because a third party could trick the user into submitting a filter option to filter the records by an innocent-looking search string (e.g. a mail address).
Can someone suggest a good way to prevent this in an MVC4 app?
I need the same functionality in an ASP.NET app.
A:
I am assuming that you have users submitting content to your site and that you would like to prevent them from being able to search for users by entering an address in the title of a news article, for example.
The two most effective things to prevent are Cross Site Scripting, which exploits browsers, and Cross Site Request Forgery, which exploits the ability to make requests to a server.
I am going to focus on Cross Site Scripting, but for more details about CSRF you should look at the OWASP page.
To prevent Cross Site Scripting you can perform a bit of validation at the server-side and that can help prevent injection but it is not really a good solution. However, it would be good to put a message up to the user that warns them about unexpected content.
The best way to prevent CSRF is to use tokens, with an anti-CSRF plugin. Token-based CSRF solutions are discussed further in this OWASP blog post.
When you get these on the server side, you can easily prevent your server from performing the query by adding a header to the request.
If you are sending the token in the header you must make sure you have a way to retrieve the token back on the client-side. The example below does this by putting the token in the query string:
When the form is submitted, the value in the query string will be automatically passed on to the server. If you were using CSRF tokens you can automatically pass
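Server-side enforcement of the token-in-header approach the answer describes, as an added C# example for ASP.NET MVC4 (not code from the original post). The header name `X-RequestVerificationToken` and the `RecordsController.Filter` action are assumptions; `AntiForgery.Validate`, `AntiForgeryConfig.CookieName` and `HttpAntiForgeryException` are the framework's own types.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
// Added example, not from the original post: validates the MVC anti-forgery token
// for AJAX posts, reading the form token from a request header so that jQuery
// $.ajax calls that send JSON (no form body) still get CSRF protection.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header name is an assumption for this example; the client must send the same one.
    public const string HeaderName = "X-RequestVerificationToken";
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cookie half of the token pair, issued by @Html.AntiForgeryToken();
        // AntiForgeryConfig.CookieName is normally "__RequestVerificationToken".
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half: prefer the header, fall back to the hidden field so plain <form> posts still work.
        string formToken = request.Headers[HeaderName] ?? request.Form["__RequestVerificationToken"];

        // AntiForgery.Validate throws when either half is missing, forged, or belongs to
        // another user's session; turn that into a 403 so rejected requests are logged as such.
        try
        {
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid.");
        }
    }
}

// Applied to the filter action the question describes (controller name is an assumption).
public class RecordsController : Controller
{
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult Filter(string searchString)
    {
        // The filtered query runs only after the token check above has passed.
        return Json(new { ok = true, filter = searchString });
    }
}
```

On the client, read the token from the hidden input that `@Html.AntiForgeryToken()` renders and pass it with `headers: { 'X-RequestVerificationToken': token }` in the `$.ajax` call.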